Monday, October 1, 2007

Bolting the Back Door with NAC Part 4: Deploying the Juniper Networks UAC 2.0

In this series, we have examined the business needs driving NAC (part 1 and part 2) and compared today's NAC architectures (part 3). Here in part 4, we show NAC in action by taking one TNC standards-based solution for a test drive: Juniper Network's Unified Access Control 2.0.

We implemented our planned scenarios with only minor adjustments, proving that UAC can be successfully deployed in a heterogeneous network without major upgrades. But, as our test progressed, we learned that Juniper is still working to expand client-side options. Customers who want to combine Juniper's IC 4000 with third-party Linux, Mac, or Vista TNC Clients must wait just a bit longer.

Assembling the pieces
Juniper's UAC solution is based on the multi-vendor TNC architecture described in part 3. Thus, our first task was to identify the TNC components already present in our lab network and decide how to combine them with Juniper's UAC products.

We chose Juniper's Infranet Controller (IC) as our TNC Policy Decision Point (PDP). The IC4000 is designed for medium enterprises and remote/branch offices with thousands of users. Big-brother IC6000 delivers additional capacity and high-availability. We tested the IC4000 ($10,000) with a 100-user license ($5,000). That price tag includes an integrated Steel-Belted Radius server and UAC Agent software.

To exercise multi-vendor interoperability, we used a mixture of 802.1X-capable switches (HP, D-Link) and APs (Colubris, Cisco) as TNC Policy Enforcement Points (PEPs). After discussion with Juniper, we mixed in their SSG5 firewall for more granular policy enforcement. Using a Juniper firewall, VPN, or IDP to enforce layer three policies was not strictly required to meet our goals, but let us tap more of UAC's potential.

Our TNC Network Access Requestors (NARs) fell into three categories:

* Staff with Windows XP/2000 laptops and installed UAC Agents
* Guests with agentless devices (including Vista, Linux, Mac, and WinMobile)
* Customers using any device, with or without an agent

Agentless endpoints that were redirected to the IC's login portal could optionally execute Juniper's Host Checker, an endpoint integrity scanner invoked via ActiveX or Java. We required our managed Windows endpoints to auto-install Juniper's UAC Agent, a persistent program that bundles an 802.1X Supplicant and TNC Client with proprietary extras: a personal firewall, IPsec VPN client, and Windows single-sign-on support.

We had hoped to authenticate managed non-Windows endpoints using third-party 802.1X Supplicants/TNC Clients, but found this is not currently possible. In UAC 2.0, the IC4000 expects the 802.1X Supplicant to send EAP-JUAC, Juniper's pre-standard take on EAP-TNC. We therefore had to admit our own Linux and PDA endpoints as agentless devices. According to Juniper, this limitation will be lifted when UAC 2.1 (3Q07) supports additional inner EAP types to be spoken by third-party TNC Clients.


http://www.isp-planet.com/technology/2007/nac_4.html

Thinking Outside The (Windows) Box,Part 3: Free Mail Clients

Over the past decade, electronic mail has become a mission critical business application, surpassing snail mail, phone calls, and paging to dominate inter-office communication. Enterprise employees are usually stuck with IT-mandated clients used with groupware servers like Microsoft Exchange, Novell GroupWise, and IBM Lotus Notes. But small business workers and home users are often free to choose their own mail clients.

Outlook Express is factory-installed on Windows PCs, but as discussed in Part 1 of this series, there can be better, safer, faster alternatives. Here in Part 3, we take a look at several free mail clients for Windows PCs: MemeCode i.Scribe, Mozilla Thunderbird, Opera Mail, Pegasus Mail, and Qualcomm Eudora.


This freeware mail client can be used on Windows 98, ME, NT, 2000, XP, Linux (2.4 or higher), and BeOS r5, requiring a minimum 1.2 MB disk and 6 MB RAM. We ran i.Scribe version 1.88 from a USB fob, inserted into a Windows XP SP1 PC.

Click to view larger imageThis compact, fast program supports POP3, (E)SMTP, and IMAP protocols, relayed through SOCKS or web proxies as needed. Integrated contact and calendar functions are also included (see figure at right). Extras like spell check, LDAP services, and GnuPG or SSL encryption can be added as plug-ins. Messages are viewed through a built-in HTML engine, but those who prefer to display mail with Internet Explorer can do so with a plug-in.

A Windows installer is available, but not really required. We just expanded the zip onto a 128 MB USB fob, ran the i.Scribe executable, replied to an initial mail folder prompt, and configured POP account settings. The freeware i.Scribe is limited to a one mail account; if you need multiple accounts or user identities, pay $20 to upgrade to InScribe.

Click to view larger imageThe i.Scribe mail client supports message formatting, labeling, threading, and prioritization. Decoder libraries for PNG and JPEG images can be added as plug-ins. Incoming mail is passed through a Bayesian Spam filter, but it is necessary to initialize this filter by manually classifying some spam to seed your banned "word list." (see figure at right). Spam messages must also remain in the spam folder indefinitely to enable list rebuilding—if you want to delete junkmail, you must do it yourself.

Click to view larger imageMail on a POP server can be previewed before deciding which messages to download or delete (see figure at left)—this is particularly useful for travelers on low bandwidth connections or public PCs. Freeware i.Scribe cannot pass messages through user-defined filters, although the commercial product InScribe can.

Mail message encryption and signature authentication can be added to i.Scribe by installing a GnuPG plug-in, although the current version cannot encrypt attached files. "Over the air" SSL protection for SMTP, POP, and IMAP can also be obtained by placing OpenSSL libraries in the same directory as the i.Scribe executable. Mobile users running i.Scribe can run OpenSSL by adding DLLs to the same USB fob, but GnuPG appears to require installed software.

The i.Scribe contact list can hold plenty of data, including GPG signatures and custom attributes. The list can be imported from various sources (e.g., text files, Outlook, Eudora, Thunderbird, Netscape), but importing a Eudora name database yielded mixed results—some addresses were truncated; others were not. The i.Scribe calendar function provides basic event scheduling with advance notification. A separate Groupware Server (currently freeware) can be used to share contacts and calendars with other users.

Overall, we found i.Scribe quick and easy to use. Although it has all the basics, i.Scribe does lack some fancy UI features found in other (arguably more complex) programs. If you're looking for a lightweight mail client to carry with you on USB, give i.Scribe a try.


http://www.isp-planet.com/technology/2006/secure_windows_3a.html


Thinking Outside The (Windows) Box,Part 4: Free Windows Firewalls

Since the birth of the public internet, host firewalls have been sound practice. But high-speed broadband and wireless access have heightened risk and accelerated demand. Today, providers like AOL include host firewalls in client software bundles. Many large enterprises routinely install security suites containing firewalls on employee laptops. Last year, Microsoft even rolled a personal firewall into Windows XP SP2.

Integrated firewalls like these are great for those who already use—or have the budget to buy—the associated commercial products. But some regional ISPs and small businesses prefer to recommend freely-available programs that are not tied to a specific OS patch or AV/VPN product. In this article, we take a brief look at five Windows firewalls that won't cost individuals a dime: Check Point ZoneAlarm, Comodo Personal Firewall, NetVeda Safety.Net, Primedius Firewall Lite, and Sunbelt Kerio Personal Firewall

ZoneAlarm runs on Windows 98/ME/2000/XP, with 50 MB disk and 128 MB RAM (XP). For this review, we tried the free-for-individual-use version of ZoneAlarm (v6.1.737), a bi-directional desktop firewall that can enforce network and program rules. The commercial ZoneAlarm Pro ($49.95, not tested) adds anti-spyware, e-mail virus scanning, pop-up blocking, and automated firewall configuration features.

After installation, ZoneAlarm uses a short wizard to create initial firewall rules. For example, if the user plans to surf the web, the wizard creates a rule that lets the default web browser (iexplore.exe) and a related OS program (svchost.exe) access the Internet.

Click to view larger imageThose initial rules can be added, changed, or deleted over time, at the user's request, whenever new applications attempt to use the Internet, or whenever new networks and unsolicited inbound traffic are detected. When each new situation is encountered, pop-up alerts prompt the user to choose whether to allow the activity once or forever (see figure at right). Novices can click an advice URL to view descriptions of programs commonly associated with filenames or ports, and learn whether they are likely to be trustworthy or malicious.

This learn-as-you-go approach makes ZoneAlarm seem awfully chatty—perhaps even a bit intrusive—for the first day or two of use. But once rules are created, these alerts die down and you may even forget that the firewall is there until something unusual occurs. If these alerts bug you, a less-secure learning mode can be used to silently auto-create rules as new programs run. To prevent trusted programs from being abused (e.g., overwritten by trojans), it is recommended that users run in high security mode. Unfortunately, that mode is only available in the Pro version.

Dig a little deeper, and you'll find that ZoneAlarm applies rules at two levels: firewall (network) and program (application). Program rules determine server (inbound) and access (outbound) permissions, depending upon whether a packet's origin/destination is located in the "trusted" or "Internet" zone. For example, the default web surfing rule gives IE "access" permission for both the trusted and Internet zones. If IE should load a web page with active content that unexpectedly opens a listening port, ZoneAlarm would ask whether IE should be given "server" permission as well.

Click to view larger imageServer programs should often accept requests from the local LAN (e.g., home or office network) but not from outsiders (e.g., public Internet or Wi-Fi hotspot). This is where ZoneAlarm "zones" come into play, letting you treat specified networks or hosts as trusted (see figure at left).

By default, all adapters are placed in the Internet zone, with security set to high—the host operates in "stealth" mode, ignoring all unsolicited inbound requests. Trusted zone security defaults to medium, permitting Windows file and printer sharing. Any zone's security can also be set to low, disabling the firewall for subnets and hosts in that zone. Zone rules can be fine-tuned to permit DNS/DHCP in high security mode, or block servers altogether. However, you won't find granular protocol/port-level control in the free version of ZoneAlarm—for example, you cannot allow inbound ICMP ping but not ICMP redirect.

Click to view larger imageZoneAlarm lets you see what's happening in several ways (see figure at right). First, Internet In/Out gauges give a rough idea of traffic flow. Second, a series of program icons identify programs currently using network services. Third, a log of firewall and program alerts is maintained, so that you can determine which activity has been permitted or blocked by ZoneAlarm. Novices may never even look at the ZoneAlarm log. But we believe that a detailed log like this is essential to enable problem diagnosis. Without it, users could be tempted to disable the firewall when programs are blocked, reverting to unsafe operation instead of adjusting firewall rules.

The free version of ZoneAlarm also alerts when AV stops running and can quarantine VB scripts received in e-mail. Many additional e-mail, privacy, and spyware defenses can be found in the Pro version, available by itself or in combination with sibling Anti-Spyware and Anti-Virus programs. Multi-user licenses are available in small business versions of ZoneAlarm. Zone Labs has been refining these firewalls for years, building a reputation in the market. The free ZoneAlarm is aimed at home users who really need GUI simplicity and alert advice. Users with more granular firewall requirements will need to spring for Pro or try another firewall.


http://www.isp-planet.com/technology/2006/secure_windows_4a.html